VYPR
High severity · NVD Advisory · Published Nov 10, 2022 · Updated Apr 23, 2025

ezplatform-graphql GraphQL queries can expose password hashes

CVE-2022-41876

Description

ezplatform-graphql prior to 2.3.12 and 1.0.13 exposes password hashes of content creators via unauthenticated GraphQL queries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Description

CVE-2022-41876 is an information exposure vulnerability in ezplatform-graphql, the GraphQL server implementation for Ibexa DXP and Ibexa Open Source. The GraphQL endpoint serves sensitive fields of user objects, including password hashes, password hash types, email addresses, and login names, to unauthenticated queries [1][2][3]. The root cause is that the passwordHash field, along with the other sensitive user fields, is part of the generated GraphQL schema and is returned without any access control, so anyone who can reach the endpoint can select it.

Exploitation

An unauthenticated attacker can send GraphQL queries to the endpoint and read the account data of every user whose record is reachable through the schema. In practice this means users who have created or modified content, typically administrators and editors, but also regular users on installations that allow user-generated content [2]. No credentials or session are required to exploit this issue.

Impact

Successful exploitation gives an attacker the password hashes (not plaintext passwords) of affected users. A hash cannot be submitted as a login credential, but it can be attacked offline with brute-force or dictionary methods at whatever rate the attacker's hardware allows, with no lockout or rate limiting from the target. Because the hash type is exposed next to the hash, the attacker also knows which algorithm to target. Combined with the exposed email address and login name, which tie each hash to a specific account, this significantly increases the risk of account compromise [2][3].

Mitigation

The vulnerability is fixed in versions 2.3.12 (2.x branch) and 1.0.13 (1.x branch) [1]. Installations that cannot upgrade immediately can remove the passwordHash entry and the other sensitive user fields from the GraphQL type configuration file as a workaround [3]; after doing so, confirm with an unauthenticated query that the fields are no longer served. Because hashes may already have been harvested, affected users should change their passwords, and administrators can force this by expiring passwords with the console command provided by the project [2].
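The exploitation and mitigation steps above, as an added example that is not code from ezplatform-graphql, Ibexa, or this advisory's references: it audits a schema through standard GraphQL introspection for the user fields the advisory names, and strips the password fields from a type configuration in the way the workaround describes. The introspection response and the type configuration below are constructed for the example; the field name passwordHashType and the Type -> config -> fields layout of the configuration are assumptions, not taken from the project.

```python
"""Audit a GraphQL schema for the exposure behind CVE-2022-41876 and apply
the configuration workaround. Added example for this advisory page, not code
from ezplatform-graphql or Ibexa; sample data below is constructed."""
import json
import urllib.request

# Fields the advisory names as exposed on user objects. "passwordHashType"
# is an assumed name for the exposed hash-type field.
SENSITIVE_FIELDS = {"passwordHash", "passwordHashType", "email", "login"}
# Fields to drop under the workaround; email/login may be needed by the site.
PASSWORD_FIELDS = {"passwordHash", "passwordHashType"}

# Standard GraphQL introspection: every type with its field names.
INTROSPECTION_QUERY = """
query AuditTypes {
  __schema { types { name kind fields { name } } }
}
"""


def fetch_introspection(endpoint: str) -> dict:
    """POST the introspection query to a live endpoint, unauthenticated."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(
        endpoint, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exposed_sensitive_fields(introspection: dict,
                             sensitive=SENSITIVE_FIELDS) -> dict:
    """Map each object type to the sensitive field names it exposes.

    Introspection does not say which fields need authentication, so a hit
    means "selectable by whoever sent this query"; sent without credentials,
    that is exactly the condition the advisory describes."""
    found = {}
    for gql_type in introspection["data"]["__schema"]["types"]:
        if gql_type.get("kind") != "OBJECT" or gql_type["name"].startswith("__"):
            continue
        hits = sorted(f["name"] for f in gql_type.get("fields") or []
                      if f["name"] in sensitive)
        if hits:
            found[gql_type["name"]] = hits
    return found


def strip_sensitive_fields(type_config: dict, sensitive=PASSWORD_FIELDS) -> dict:
    """Return a copy of a type configuration with the given fields removed
    from every type. The Type -> config -> fields nesting is an assumption
    about the configuration layout, used only to illustrate the workaround."""
    cleaned = json.loads(json.dumps(type_config))  # deep copy, input untouched
    for definition in cleaned.values():
        fields = definition.get("config", {}).get("fields", {})
        for field in list(fields):
            if field in sensitive:
                del fields[field]
    return cleaned


# Constructed introspection response from an unpatched schema.
SAMPLE_INTROSPECTION = {"data": {"__schema": {"types": [
    {"name": "User", "kind": "OBJECT", "fields": [
        {"name": "id"}, {"name": "login"}, {"name": "email"},
        {"name": "passwordHash"}, {"name": "passwordHashType"}]},
    {"name": "Query", "kind": "OBJECT", "fields": [{"name": "users"}]},
    {"name": "String", "kind": "SCALAR", "fields": None},
    {"name": "__Type", "kind": "OBJECT", "fields": [{"name": "name"}]},
]}}}

# Constructed type configuration in the shape assumed above.
SAMPLE_TYPE_CONFIG = {"User": {"type": "object", "config": {"fields": {
    "id": {"type": "Int!"},
    "login": {"type": "String"},
    "email": {"type": "String"},
    "passwordHash": {"type": "String"},
    "passwordHashType": {"type": "Int"},
}}}}

if __name__ == "__main__":
    print("exposed:", exposed_sensitive_fields(SAMPLE_INTROSPECTION))
    print("cleaned:", json.dumps(strip_sensitive_fields(SAMPLE_TYPE_CONFIG), indent=2))
```

Run the audit against a real endpoint with exposed_sensitive_fields(fetch_introspection(url)) before and after applying the workaround; an empty result for the User type after the change is the confirmation the Mitigation section asks for. Only the password fields are stripped by default because removing email and login can break legitimate front-end queries, whereas nothing legitimate needs a hash over GraphQL.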

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions          Patched versions
ezsystems/ezplatform-graphql (Packagist)  >= 1.0.0-rc1, < 1.0.13     1.0.13
ezsystems/ezplatform-graphql (Packagist)  >= 2.0.0-beta1, < 2.3.12   2.3.12
